CVE-2026-52933
HighCVSS 7.8Exploitation Probability (EPSS)
Low risk2th percentile - higher than 2% of all known CVEs
Summary
In the Linux kernel, a vulnerability was found in the io_uring/poll mechanism where a signed comparison in io_poll_get_ownership() prevented the slowpath from being taken when the cancel flag (IO_POLL_CANCEL_FLAG) was set. This caused cancel operations to be mishandled.
Risk Assessment
The risk is that an attacker could exploit this flaw to trigger a use-after-free or other memory corruption issue, potentially leading to privilege escalation or system crash.
Recommendation
It is recommended to immediately update the Linux kernel to a version containing the fix (casting the atomic_read() result to unsigned int before the comparison).
Original NVD description (English source)
In the Linux kernel, the following vulnerability has been resolved: io_uring/poll: fix signed comparison in io_poll_get_ownership() io_poll_get_ownership() uses a signed comparison to check whether poll_refs has reached the threshold for the slowpath: if (unlikely(atomic_read(&req->poll_refs) >= IO_POLL_REF_BIAS)) atomic_read() returns int (signed). When IO_POLL_CANCEL_FLAG (BIT(31)) is set in poll_refs, the value becomes negative in signed arithmetic, so the >= 128 comparison always evaluates to false and the slowpath is never taken. Fix this by casting the atomic_read() result to unsigned int before the comparison, so that the cancel flag is treated as a large positive value and correctly triggers the slowpath.

